As the use of portable media and transient electronic devices has grown, adversaries have quickly fine-tuned their approaches to leverage these devices to breach otherwise difficult-to-access systems. As a result, Transient Cyber Assets (TCAs) pose a serious cybersecurity risk to just about every industry.
Recognizing this widespread threat, the NERC CIP Standards Development Team developed a set of requirements for the power industry to address the use of TCAs. These requirements can be found in CIP-003-7 Attachment 1 for Low Impact and CIP-010-2 Requirement R4 for Medium and High Impact.
Unfortunately, many organizations struggle with implementing controls to address TCAs. Most often the difficulty comes when trying to create TCA policies for current practices, rather than modifying existing practices to meet TCA policies. Luckily, the North American Transmission Forum (NATF) published the NATF Transient Cyber Asset Guidance document to provide direction on developing, implementing, and assessing a TCA program.
The NATF guidance provides three implementation models for addressing TCAs, details on how to assess the implementation, and two implementation examples.
Which TCA Implementation Model is Right for You?
Adopting an implementation model depends largely on your organizational and technological needs. Regardless of the model or combination of models you choose, make sure you collect evidence that shows you are compliant. Additionally, using any of these models does not relieve your organization of the responsibility of detecting unauthorized TCAs. Keep these two points in mind as you develop your TCA program.
The three approach models the NATF guidance document recommends are:
- Prohibited Use Model
- On-demand Use Model
- Ongoing Use Model
The Prohibited Use Model is by far the easiest model to implement from a policy perspective. Essentially, this model prohibits the use of any TCA and requires no cybersecurity checklist or TCA asset tracking. Easy, right?
Before you jump on board, note that the Prohibited Use Model does pose some significant technological challenges. Maintenance and diagnostic tools are often found on organization-owned TCAs. In some cases, vendor diagnostic and testing tools are only allowed on vendor-owned, not organization-owned, laptops. The NATF guidance provides information on how to accomplish a prohibited use model while addressing some of these restrictions, such as introducing Protected Cyber Assets (PCAs) to house these tools.
The On-Demand Use Model and Ongoing Use Model are similar in many respects. Both require that the requirements in Sections 1 and 2 of CIP-010-2 Attachment 1 be met. Also, both require that any TCA that has been previously approved and is approaching the 30-day cutoff be removed from the Bulk Electric System (BES), have patches applied and anti-virus updated, and be re-authorized for use within the BES environment.
Additionally, the On-Demand Use Model and Ongoing Use Model require controls in place to prevent a TCA from being simultaneously connected to a BES and non-BES network. These controls can be technological, procedural, or both.
The On-Demand Use Model appears to be the most flexible model, as it allows the use of multi-purpose devices, such as corporate and vendor laptops, to perform maintenance in a BES environment. The model allows a TCA to be used on demand and therefore only needs to meet the NERC CIP requirements prior to being connected to a BES environment. However, the On-Demand Use Model is perhaps the most challenging model to use, because compliance evidence will most likely have to be gathered manually. Forgetting to collect evidence just once would result in non-compliance.
With the Ongoing Use Model, TCAs are dedicated to performing TCA functions only. Ongoing compliance requires that an approved TCA device is in a secure state and ready for use at any time for TCA functions. This typically requires that TCAs are regularly connected to a dedicated network for anti-virus and patch updates. With a dedicated network, it is easier to track each TCA device's compliance and set up notifications if a TCA device has not been updated in the last 30 days. Careful consideration is needed as to whether these ongoing TCA devices are assigned to individuals or groups, and where the TCAs are kept when not in use.
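The 30-day tracking described for both the On-Demand and Ongoing Use Models comes down to comparing the date of each device's last patch, anti-virus update and authorization against the cutoff and raising a notification before it is reached. The following is an added example of such a check, written for this page and not taken from the NATF guidance or any vendor tool. The `TcaRecord` fields, the inventory entries, the 5-day warning lead time and the rule that a device is out of window once an event is more than 30 days old are all constructed assumptions; the 30-day window itself is the one the post describes.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# 30-day window the post describes for patches, anti-virus updates and re-authorization
CUTOFF_DAYS = 30
# Assumption: start notifying this many days before a device reaches the cutoff
WARN_LEAD_DAYS = 5


@dataclass
class TcaRecord:
    """One inventory row for a TCA (field names are this example's own assumption)."""
    asset_id: str
    approved: bool                    # currently authorized for BES use
    last_patched: Optional[date]      # None means the event was never recorded
    last_av_update: Optional[date]
    last_authorized: Optional[date]


def age_days(when: Optional[date], today: date) -> Optional[int]:
    """Days elapsed since `when`, or None if the event was never recorded."""
    return None if when is None else (today - when).days


def evaluate(rec: TcaRecord, today: date) -> dict:
    """Classify one TCA against the 30-day window.

    status values:
      blocked - not approved, or a required event has no record at all (no evidence)
      expired - an event is older than CUTOFF_DAYS: remove from BES, update, re-authorize
      warn    - an event is within WARN_LEAD_DAYS of the cutoff: schedule the refresh now
      ok      - every event is inside the window
    """
    checks = {
        "patch": age_days(rec.last_patched, today),
        "anti-virus": age_days(rec.last_av_update, today),
        "authorization": age_days(rec.last_authorized, today),
    }
    reasons = []
    if not rec.approved:
        reasons.append("not approved")
    reasons += [f"{name} never recorded" for name, age in checks.items() if age is None]
    if reasons:
        # Missing evidence is treated the same as a failed check, not as "unknown"
        return {"asset_id": rec.asset_id, "status": "blocked", "reasons": reasons}

    # Assumption on the boundary: an event exactly 30 days old is still inside the window
    expired = [n for n, a in checks.items() if a > CUTOFF_DAYS]
    if expired:
        return {"asset_id": rec.asset_id, "status": "expired",
                "reasons": [f"{n} is {checks[n]} days old" for n in expired]}
    nearing = [n for n, a in checks.items() if a > CUTOFF_DAYS - WARN_LEAD_DAYS]
    if nearing:
        return {"asset_id": rec.asset_id, "status": "warn",
                "reasons": [f"{n} reaches cutoff in {CUTOFF_DAYS - checks[n]} days" for n in nearing]}
    return {"asset_id": rec.asset_id, "status": "ok", "reasons": []}


def report(records, today: date) -> dict:
    """Evaluate a whole inventory; keyed by asset id so a notifier can route per device."""
    return {r.asset_id: evaluate(r, today) for r in records}


# Constructed sample inventory and evaluation date (not real assets)
AS_OF = date(2024, 6, 30)
SAMPLE_INVENTORY = [
    TcaRecord("TCA-001", True, date(2024, 6, 20), date(2024, 6, 25), date(2024, 6, 10)),
    TcaRecord("TCA-002", True, date(2024, 6, 3), date(2024, 6, 28), date(2024, 6, 28)),
    TcaRecord("TCA-003", True, date(2024, 5, 1), date(2024, 6, 29), date(2024, 6, 29)),
    TcaRecord("TCA-004", False, date(2024, 6, 29), date(2024, 6, 29), None),
]


def sample_report() -> dict:
    return report(SAMPLE_INVENTORY, AS_OF)


if __name__ == "__main__":
    for asset_id, result in sample_report().items():
        print(f"{asset_id}: {result['status']:8} {'; '.join(result['reasons'])}")
```

Two design points matter for compliance evidence: a device with no recorded event is reported as blocked rather than silently passing, and the report is produced per device so each notification can be kept as a dated artifact showing the check was actually run.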